Deploy Defender for Containers to private clusters

Private clusters isolate Kubernetes environments from the internet and, in this context, restricted connectivity means no direct access to the Kubernetes API server. Defender for Containers extends threat detection and security visibility to these environments, so you can maintain protection coverage while preserving private cluster network boundaries.

Prerequisites

Before you begin, ensure the following prerequisites are met:

  • Defender for Containers is enabled for your target environment.

  • If you're deploying by using Helm, make sure helm, curl, and jq are installed and available in your command-line environment.

    To check whether the tools are available, run:

    helm version
    curl --version
    jq --version
    
  • If you're deploying by using an Azure Arc-enabled Kubernetes extension, ensure that:

    • Your cluster is connected to Azure Arc.
    • The Azure command-line interface (Azure CLI) is installed and you're signed in.

Install components for private clusters

Defender for Containers Helm charts are published to mcr.microsoft.com/azuredefender/microsoft-defender-for-containers. Private clusters are supported in 0.11.X chart versions. The following commands install the components for your environment.

You can list the published versions by running the following command:

curl https://mcr.microsoft.com/v2/azuredefender/microsoft-defender-for-containers/tags/list

To install the latest 0.11.X chart and enable private cluster components:

helm install defender-k8s oci://mcr.microsoft.com/azuredefender/microsoft-defender-for-containers \
  --create-namespace \
  --namespace mdc \
  --set global.cloudIdentifiers.AWS.accountId="<aws-account-id>" \
  --set global.cloudIdentifiers.AWS.region="<cluster-location>" \
  --set global.cloudIdentifiers.AWS.clusterName="<cluster-name>" \
  --set microsoft-defender-for-containers-sensor.inventoryCollector.enabled=true \
  --set microsoft-defender-for-containers-sensor.configController.enabled=true
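The install command above does not pin a chart version, so Helm resolves whichever tag it considers newest, which may not be in the supported 0.11.X series. The following script, added here as an example and not taken from the Microsoft docs page or the Defender for Containers project, picks the newest 0.11.X tag from a tags/list response so it can be passed to `helm install --version`. The JSON response is a constructed sample; its shape (`{"name": ..., "tags": [...]}`) is assumed to match the MCR endpoint, but the tag values are invented.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs page): select the newest 0.11.X
# chart tag from a tags/list response so the version can be pinned with
# `helm install --version`.
#
# Constructed sample response. The shape is assumed to match what the MCR
# tags/list endpoint returns; the tag values are invented for this example.
SAMPLE_TAGS_JSON='{"name":"azuredefender/microsoft-defender-for-containers","tags":["0.10.5","0.11.0","0.11.2","0.11.10","0.12.0"]}'

# latest_chart_version <major.minor> <tags-list-json>
# Prints the highest patch release in the given minor series (0.11 -> 0.11.10),
# or nothing when that series has no tags. Uses only grep/sed/sort/tr, so it
# works even where jq is not installed.
latest_chart_version() {
  series="$1"
  json="$2"
  # Escape the dots in "0.11" so they match literally in the grep pattern.
  pattern=$(printf '%s' "$series" | sed 's/\./\\./g')
  printf '%s\n' "$json" \
    | grep -o '"[0-9][0-9.]*"' \
    | tr -d '"' \
    | grep "^${pattern}\.[0-9][0-9]*$" \
    | sort -t . -k 1,1n -k 2,2n -k 3,3n \
    | tail -n 1
}

# Live usage against the registry (needs network access and curl):
#   TAGS=$(curl -s https://mcr.microsoft.com/v2/azuredefender/microsoft-defender-for-containers/tags/list)
#   CHART_VERSION=$(latest_chart_version 0.11 "$TAGS")
#   helm install defender-k8s oci://mcr.microsoft.com/azuredefender/microsoft-defender-for-containers \
#     --version "$CHART_VERSION" --create-namespace --namespace mdc ...

# Stand-alone run on the constructed sample.
latest_chart_version 0.11 "$SAMPLE_TAGS_JSON"
```

Pin the result with `--version` on the `helm install` line; Helm's `--version` flag accepts an exact chart version, so the installed chart stays in the 0.11.X series even after newer charts are published.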

Verify the deployment

To verify Helm-based deployment status:

helm list --namespace mdc

To verify the Azure Arc extension deployment:

az k8s-extension show \
  --name microsoft.azuredefender.kubernetes \
  --cluster-type connectedClusters \
  --cluster-name $ARC_CLUSTER_NAME \
  --resource-group $ARC_RESOURCE_GROUP
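Both verification commands print human-readable tables by default, which is awkward to check from a script. The following helper, added here as an example and not part of the Microsoft docs page or the Defender for Containers project, checks the JSON form of the same outputs (`helm list --namespace mdc -o json` and `az k8s-extension show`, which emits JSON by default) for a healthy state. The two JSON documents are constructed samples; the `status` and `provisioningState` field names are what these commands produce, the other fields and their values are assumptions.

```shell
#!/bin/sh
# Added example (not from the Microsoft docs page): script-friendly checks over
# the JSON output of `helm list -o json` and `az k8s-extension show`.
#
# Constructed sample outputs. Field names "status" (Helm release state) and
# "provisioningState" (Arc extension state) are real; the rest is invented.
SAMPLE_HELM_LIST='[{"name":"defender-k8s","namespace":"mdc","revision":"1","status":"deployed","chart":"microsoft-defender-for-containers-0.11.2","app_version":"0.11.2"}]'
SAMPLE_ARC_EXTENSION='{"name":"microsoft.azuredefender.kubernetes","provisioningState":"Succeeded","version":"0.11.2"}'

# json_string_field <field> <json>
# Prints the first string value stored under <field>. Good enough for the flat
# fields checked here; it is not a general JSON parser.
json_string_field() {
  printf '%s' "$2" \
    | grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed 's/.*:[[:space:]]*"\(.*\)"/\1/'
}

# helm_release_ok <release-name> <helm-list-json>
# Succeeds only if the named release is present and its status is "deployed"
# (Helm also reports "failed", "pending-install", etc. for unhealthy releases).
helm_release_ok() {
  release="$1"
  json="$2"
  printf '%s' "$json" | grep -q "\"name\"[[:space:]]*:[[:space:]]*\"$release\"" || return 1
  [ "$(json_string_field status "$json")" = "deployed" ]
}

# arc_extension_ok <az-k8s-extension-show-json>
# Succeeds only if the extension's provisioningState is "Succeeded".
arc_extension_ok() {
  [ "$(json_string_field provisioningState "$1")" = "Succeeded" ]
}

# Live usage (replace the sample variables with real command output):
#   HELM_JSON=$(helm list --namespace mdc -o json)
#   helm_release_ok defender-k8s "$HELM_JSON" && echo "Helm release healthy"
#   EXT_JSON=$(az k8s-extension show --name microsoft.azuredefender.kubernetes \
#       --cluster-type connectedClusters --cluster-name "$ARC_CLUSTER_NAME" \
#       --resource-group "$ARC_RESOURCE_GROUP")
#   arc_extension_ok "$EXT_JSON" && echo "Arc extension healthy"

# Stand-alone run on the constructed samples.
helm_release_ok defender-k8s "$SAMPLE_HELM_LIST" && echo "helm release: deployed"
arc_extension_ok "$SAMPLE_ARC_EXTENSION" && echo "arc extension: Succeeded"
```

A non-zero exit from either function is the signal to investigate with `helm status defender-k8s --namespace mdc` or the extension's error details rather than assuming the sensor is running.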